dfDewey is a digital forensics string extraction, indexing, and searching tool.

Usage

dfDewey currently requires bulk_extractor for string extraction.

bulk_extractor can be installed from the GIFT PPA.

sudo add-apt-repository ppa:gift/stable
sudo apt update
sudo apt install -y bulk-extractor

bulk_extractor can also be downloaded and built from source here: https://github.com/simsong/bulk_extractor

Note: bulk_extractor v2.0.3 or greater is required.

dfVFS is required for image parsing. It can be installed from the GIFT PPA.

sudo add-apt-repository ppa:gift/stable
sudo apt update
sudo apt install -y python3-dfvfs

It can also be installed using pip:

pip install -r dfvfs_requirements.txt

OpenSearch and PostgreSQL are also required to store extracted data. These can be installed separately or started in Docker using docker-compose.

cd docker
sudo docker-compose up -d

Note: To stop the containers (and purge the stored data) run sudo docker-compose down from the docker directory.

dfDewey will try to connect to datastores on localhost by default. If running datastores on separate servers, copy the config file template dfdewey/config/config_template.py to ~/.dfdeweyrc and adjust the server connection settings in the file. You can also specify a different config file location on the command line using -c.

python setup.py install

Note: It's recommended to install dfDewey within a virtual environment.